Last June I blogged about the transposition into UK law of the EU’s e-Privacy Directive, and noted that although the corresponding UK law came into force in May 2011, the UK’s privacy regulator gave firms a further year to “demonstrate progress towards compliance”. That year is almost up. The ICO has now indicated that there is little risk of companies facing any enforcement action if they fail to comply with the law. To be a little more precise, the ICO’s position appears to be this:

The EU Directive distinguished between “technical” cookies, which were loosely defined as “those essential to the operation of a website”… such as cookies which reflect the status of your shopping basket and items in it, and “tracking” cookies, which do not contribute to the operation of the site, but serve to gather data about the site’s visitors.

“Technical” cookies are acceptable, under the EU Directive; “tracking” cookies may only be used if the user’s consent has been indicated in some way (with all the potential practical problems that might entail).

The UK Privacy and Electronic Communications Regulations (and I can only apologise for the unfortunate US English connotations of that acronym) “do not distinguish between cookies used for analytical activities and those used for other purposes”.

As a result, the ICO “does not consider analytical cookies fall within the ‘strictly necessary’ exception criteria” – so user consent is required.

…

BUT… the ICO is less likely to take formal action – even for analytical cookies – if they are first-party cookies [see Mike O’Neill’s comment below, and my reply], if they demonstrate “a low level of intrusiveness”**, or there is a low level of risk of harm to individuals.

To cut it short: it’s not hard to characterise the ICO’s position as “we’re going to qualify any possible intervention so rigorously that, in the end, we won’t actually do anything about cookie use”.

What should one conclude?

First, let’s give the ICO the benefit of the doubt and ascribe their semi-recumbent posture to pragmatism rather than spinelessness. Arguably, the EU’s Directive on cookies was a well-intentioned piece of legislation, but hopelessly impractical because it depended entirely for its effectiveness on factors outside the EU’s control (the willingness of browser manufacturers to implement meaningful controls). On that basis, the ICO can maintain that it has more important things to do than find ways of shoring up someone else’s fundamentally flawed legislative initiatives.

Second, if you are a company with a possible compliance obligation under the UK’s PECR law, it looks like you can score the risk of UK regulatory action as “low”… though if you choose to do absolutely nothing about compliance, don’t blame me if you suffer reputational damage as a result. You should also keep an eye out for anything the ICO subsequently says about third-party cookies, because so far the “wiggle room” only extends to first-party ones.

Third, where does this leave the European Commission? Well, on one hand, they are still dependent on browser manufacturers’ progress towards a robust “Do Not Track” implementation – but it is perhaps now clear to the Commission that a unilateral attempt to impose a cookie law under those circumstances was unrealistic. On the other hand, the shaky status of the Directive should also remind the Commission how risky it is to try to legislate at the level of specific technical mechanisms, rather than defining a clear policy objective and leaving the technical details to the technicians. Viviane Reding did the Directive no favours when she explained that it was based on the distinction between “technical” cookies [nice] and “spy” cookies [nasty]. Framing the discussion in those terms makes life almost impossible for the regulators, does nothing for the privacy interests of the user, and gives malevolent online services a free run at any privacy-hostile tracking technique that is not cookie-based.

Cookie regulation may have seemed like a temptingly achievable target, but I think the Commission needs to acknowledge the following problems:

It was a bad idea to frame privacy legislation with reference to a specific technical mechanism, rather than to the relevant privacy-related practices on the part of the service providers;

It was a bad idea to leave an EU law so much at the mercy of critical success factors outside EU control, without seeking some form of consensus before drafting it;

It was a bad idea to focus so closely on cookies that other privacy-hostile tracking techniques pass un-noticed.

Let’s be optimistic, though: if the Commission can learn from the shortcomings of this legislative initiative and maintain the political will to try again, it could do better.

**You might, of course, think that “a low level of intrusiveness” was exactly the problem that the Directive sought to address in the first place, by insisting that users be given the opportunity to express clear, informed, unambiguous, prior consent. I couldn’t possibly comment.


Robin Wilton
Research Director 26 years IT industry

Robin Wilton is a research director with a particular interest in digital identity and privacy (and their relationship to public policy), access control and single sign-on, and the productive use of public key infrastructures.

Thoughts on UK ICO “highly unlikely” to enforce law on cookie consent

The ICO have said that they are unlikely to pursue publishers whose sites place cookies whose use is only for analytics. The key word is *only*. They say nothing about a difference between 1st and 3rd party. In the case of Google Analytics, which are technically 1st party because they reside in the web publisher’s domain, the issue to consider is whether the unique user identifying value they encode in a 2 year persistent cookie is used only for analytics purposes. This value is sent to Google every time we visit a site that uses Google Analytics.
Bear in mind their new privacy policy now applies to all data they gather including analytics.
The CNIL (the French regulator) have asked Google to answer whether they use the UUID GA cookies to inform their behavioural advertising processes. It will be very interesting, especially for publishers trying to decide what all this conflicting advice means to them, what Google say about this.

On the Article 5(3) regulations, this does not require browser manufacturers to come up with a technical response. It is simply a requirement that publishers do not cause the storage of anything in a citizen’s browser unless the citizen has given informed consent.

There are technical solutions to help them with this that are not browser based. In fact the DNT standard only muddies the waters because it leaves moot what should happen if a citizen has not made a specific decision to enable it.

The Article 5(3) requirement is not only about cookies, but applies to any method or technique that uses stored information to track citizens. All browser fingerprinting without citizen consent, other than the crude, commercially useless sort possible using IP addresses, is now forbidden in Europe.

Thanks Mike – very useful comments. On the topic of 3rd-party cookies… I meant to include a link to the Register article and the quote it includes from the ICO. I’ve added that link now. The quote says:

“Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action. The ICO will also be issuing further guidance shortly which will provide further details on analytics cookies reiterating that they are covered by the new changes. We will also give our view on the applicability of implied consent for these and other cookies.”

You’re absolutely right about Art 5(3) – the pity is that the Commission framed the discussion so specifically around cookies.

You’re also right that the operation of Google Analytics (for example) blurs the line between 1st party and 3rd party cookies because it is set by the 1st party but then transferred to a 3rd party. I’d argue that that is a subtlety from which the Directive, in its current form, fails to protect us…

Robin,
I think the ICO used the term “1st party” here to refer to cookies placed by the publisher, either server-side or client-side, to implement their own analytics function. In this case the publisher knows that the cookies are *only* used for the purpose of analytics, and is able to verify that.
The UUID value encoded in a cookie placed by Google Analytics script is sent out-of-band in an Ajax call back to Google and the publisher has no way of knowing what it will be used for. Although this cookie is 1st party in the technical http sense, it is being read and acted upon by a 3rd party, and this probably is what the ICO is referring to.
They should explain what they meant; the lack of clarity is very unhelpful to publishers trying to comply with the law, and those that want to continue tracking people without their knowledge are the only ones that can benefit from the confusion.
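The point Mike makes in both of his comments (a cookie that is first-party in the HTTP sense, but whose identifier is carried out-of-band to a third-party host) is something a publisher can actually check for. The following is an added example written for this page, not code from the post, the commenters, or Google: it takes a page's cookie string and a list of outbound request URLs, and reports any first-party cookie whose identifier appears verbatim in a request to a host outside the publisher's domain. The hostnames, cookie values and URLs are constructed sample data; the `_utma` cookie layout and the `utmcc` beacon parameter are assumed to follow classic ga.js for illustration; and the two-label "registrable domain" check is a deliberate simplification of what the Public Suffix List would give you.

```javascript
// Added example (not from the original post or its comments): correlate
// first-party cookie values with outbound requests to third-party hosts.
// All cookies, hosts and URLs below are constructed sample data. The
// "_utma" layout and the "utmcc" parameter are an assumption modelled on
// classic Google Analytics (ga.js), used purely for illustration.

// Parse a document.cookie-style string ("a=1; b=2") into name/value pairs.
function parseCookieString(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1
        ? { name: part, value: "" }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

// Simplified registrable-domain check: "cdn.publisher.example" -> "publisher.example".
// A real audit should use the Public Suffix List; this is a two-label heuristic.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Identifier candidates inside a cookie value: each dot-separated component
// of 6+ characters (so a visitor id embedded in a composite value such as
// _utma is matched on its own), plus the whole value.
function identifierTokens(value) {
  const tokens = value.split(".").filter((piece) => piece.length >= 6);
  if (value.length >= 6 && !tokens.includes(value)) tokens.push(value);
  return tokens;
}

function decodedSearch(url) {
  try {
    return decodeURIComponent(url.search);
  } catch (e) {
    return url.search; // malformed percent-encoding: compare the raw form
  }
}

// Return one finding per (cookie, third-party request) pair where any of the
// cookie's identifier tokens appears in the request's path or decoded query.
function findExfiltratedCookies(firstPartyHost, cookieString, requestUrls) {
  const firstParty = registrableDomain(firstPartyHost);
  const findings = [];
  for (const cookie of parseCookieString(cookieString)) {
    const tokens = identifierTokens(cookie.value);
    if (tokens.length === 0) continue;
    for (const rawUrl of requestUrls) {
      const url = new URL(rawUrl);
      if (registrableDomain(url.hostname) === firstParty) continue;
      const haystack = url.pathname + decodedSearch(url);
      const matched = tokens.filter((t) => haystack.includes(t));
      if (matched.length > 0) {
        findings.push({ cookie: cookie.name, thirdParty: url.hostname, tokens: matched });
      }
    }
  }
  return findings;
}

// Constructed sample: the publisher's own session cookie stays on-site, while
// the GA visitor id (second component of _utma) travels to the beacon host
// inside the percent-encoded utmcc parameter.
const SAMPLE_HOST = "www.publisher.example";
const SAMPLE_COOKIES =
  "JSESSIONID=9A1F3C7E2B; _utma=173272373.1749635217.1335778800.1335778800.1335778800.1";
const SAMPLE_REQUESTS = [
  "https://www.publisher.example/cart?item=42",
  "https://www.google-analytics.com/__utm.gif?utmwv=5.3.0&utmcc=__utma%3D173272373.1749635217.1335778800.1335778800.1335778800.1%3B",
  "https://cdn.publisher.example/app.js",
];

function runSample() {
  return findExfiltratedCookies(SAMPLE_HOST, SAMPLE_COOKIES, SAMPLE_REQUESTS);
}

console.log(JSON.stringify(runSample(), null, 2));
```

In a browser audit the request list would come from the network log (or a `PerformanceResourceTiming` walk) rather than a constructed array, and the cookie string from `document.cookie` after the page has settled. The output tells the publisher exactly which "first-party" identifiers leave their domain and to whom, which is the fact they need before they can honestly claim a cookie is used *only* for their own analytics.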

About

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.